Systems Affected

Microsoft Windows operating systems

Overview

This Alert has been updated to reflect the National Cybersecurity and Communications Integration Center's (NCCIC) analysis of the "NotPetya" malware variant. The scope of this Alert’s analysis is limited to the newest Petya malware variant that surfaced on June 27, 2017. This malware is referred to as “NotPetya” throughout this Alert.

On June 27, 2017, NCCIC [13] was notified of Petya malware events occurring in multiple countries and affecting multiple sectors. This variant of the Petya malware, referred to as NotPetya, encrypts files with extensions from a hard-coded list. Additionally, if the malware gains administrator rights, it encrypts the master boot record (MBR), making the infected Windows computers unusable. NotPetya differs from previous Petya malware primarily in its propagation methods.

The NCCIC Code Analysis Team produced a Malware Initial Findings Report (MIFR) to provide in-depth technical analysis of the malware. In coordination with public and private sector partners, NCCIC is also providing additional indicators of compromise (IOCs) in comma-separated-value (CSV) form for information sharing purposes.

Available Files:

Microsoft released a security update for the MS17-010 SMB vulnerability on March 14, 2017, which addressed the EternalBlue and EternalRomance lateral movement techniques.

Technical Details

NCCIC received a sample of the NotPetya malware variant and performed a detailed analysis. Based on the analysis, NotPetya encrypts the victim’s files with a dynamically generated, 128-bit key and creates a unique ID of the victim. However, there is no evidence of a relationship between the encryption key and the victim’s ID, which means it may not be possible for the attacker to decrypt the victim’s files even if the ransom is paid. It behaves more like destructive malware than ransomware.

NCCIC observed multiple methods used by NotPetya to propagate across a network. The first and, in most cases, most effective method uses a modified version of the Mimikatz tool to steal the user’s Windows credentials. The cyber threat actor can then use the stolen credentials, along with the native Windows Management Instrumentation Command Line (WMIC) tool or the Microsoft SysInternals utility psexec.exe, to access other systems on the network. Another method for propagation uses the EternalBlue exploit tool to target unpatched systems running a vulnerable version of SMBv1. In this case, the malware attempts to identify other hosts on the network by checking the compromised system’s IP-to-physical-address mapping table. Next, it scans for other systems that are vulnerable to the SMB exploit and installs the malicious payload. Refer to the malware report, MIFR-10130295, for more details on these methods.

The analyzed sample of NotPetya encrypts the compromised system’s files with a 128-bit Advanced Encryption Standard (AES) algorithm during runtime. The malware then writes a text file on the “C:\” drive that includes a static Bitcoin wallet location as well as a unique personal installation key, intended for the victim to use when making the ransom payment, and the user’s Bitcoin wallet ID. NotPetya modifies the master boot record (MBR) to enable encryption of the master file table (MFT) and the original MBR, and then reboots the system. Based on the encryption methods used, it appears unlikely that the files could be restored, even if the attacker received the victim’s unique key and Bitcoin wallet ID.

The delivery mechanism of NotPetya during the June 27, 2017, event was determined to be the Ukrainian tax accounting software, M.E.Doc. The cyber threat actors used a backdoor to compromise M.E.Doc’s development environment as far back as April 14, 2017. This backdoor allowed the threat actor to run arbitrary commands, exfiltrate files, and download and execute arbitrary exploits on the affected system. Organizations should treat systems with M.E.Doc installed as suspicious, and should examine these systems for additional malicious activity. [12]
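As an added defender-side illustration that is not part of the original alert, the PowerShell below flags a host that opens TCP 445 connections to many distinct internal peers within a short window, the fan-out that the host enumeration and SMB scanning described above would leave in network logs. The connection records are constructed sample data, and the function name, threshold and window length are this example's own assumptions to be tuned per environment.

```powershell
# Added example, not from the alert: detect SMB (TCP 445) fan-out from a single
# source, the network pattern of NotPetya's SMB-based lateral movement.
# Constructed sample connection log; a real feed would come from flow records
# or firewall logs carrying the same four fields.
$sampleLog = @'
time,src,dst,dport
2017-06-27T10:00:01,10.0.1.5,10.0.1.7,445
2017-06-27T10:00:02,10.0.1.5,10.0.1.8,445
2017-06-27T10:00:02,10.0.1.5,10.0.1.9,445
2017-06-27T10:00:03,10.0.1.5,10.0.1.10,445
2017-06-27T10:00:03,10.0.1.5,10.0.1.11,445
2017-06-27T10:00:04,10.0.1.5,10.0.1.12,445
2017-06-27T10:05:00,10.0.1.20,10.0.1.30,445
2017-06-27T10:06:00,10.0.1.20,10.0.1.30,445
2017-06-27T10:07:00,10.0.1.21,10.0.1.50,80
'@

function Find-SmbFanOut {
    param(
        [Parameter(Mandatory)][object[]]$Records,  # objects with time, src, dst, dport
        [int]$Threshold = 5,       # distinct 445 peers before alerting (assumed value)
        [int]$WindowSeconds = 60   # sliding window length (assumed value)
    )
    $alerts = @()
    $bySource = $Records | Where-Object { [int]$_.dport -eq 445 } | Group-Object src
    foreach ($group in $bySource) {
        # Sort one source's SMB connections by time, then slide a window over them.
        $events = @($group.Group | Sort-Object { [datetime]$_.time })
        for ($i = 0; $i -lt $events.Count; $i++) {
            $start = [datetime]$events[$i].time
            $peers = [System.Collections.Generic.HashSet[string]]::new()
            for ($j = $i; $j -lt $events.Count; $j++) {
                if (([datetime]$events[$j].time - $start).TotalSeconds -gt $WindowSeconds) { break }
                [void]$peers.Add($events[$j].dst)
            }
            if ($peers.Count -ge $Threshold) {
                $alerts += [pscustomobject]@{
                    Source = $group.Name; DistinctPeers = $peers.Count; WindowStart = $start
                }
                break   # one alert per source is enough
            }
        }
    }
    return $alerts
}

# Repeated connections to a single peer (10.0.1.20) do not count as fan-out;
# only a source reaching many distinct peers inside the window is reported.
Find-SmbFanOut -Records ($sampleLog | ConvertFrom-Csv) | Format-Table -AutoSize
```

Lower the threshold for small subnets, and pair the alert with the source host's process telemetry, since legitimate management tools can also touch many hosts on 445.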

Impact

According to multiple reports, this NotPetya malware campaign has infected organizations in several sectors, including finance, transportation, energy, commercial facilities, and healthcare. While these victims are business entities, other Windows systems are also at risk, such as:

those that do not have patches installed for the vulnerabilities in MS17-010, CVE-2017-0144, and CVE-2017-0145, and

those that operate on the shared network of affected organizations.

Negative consequences of malware infection include:

temporary or permanent loss of sensitive or proprietary information,

disruption to regular operations,

financial losses incurred to restore systems and files, and

potential harm to an organization’s reputation.

Solution

NCCIC recommends against paying ransoms; doing so enriches malicious actors while offering no guarantee that the encrypted files will be released. In this NotPetya incident, the email address for payment validation was shut down by the email provider, so payment is especially unlikely to lead to data recovery. [1] According to one NCCIC stakeholder, the sites listed below are used for payment in this activity. These sites are not included in the CSV package as IOCs.

Network Signatures

NCCIC recommends that organizations coordinate with their security vendors to ensure appropriate coverage for this threat. Given the overlap of functionality and the similarity of behaviors between WannaCry and NotPetya, many of the available rulesets can protect against both malware types when appropriately implemented. The following rulesets provided in publicly available sources may help detect activity associated with these malware types:

Recommended Steps for Prevention

Review US-CERT’s Alert on The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations [6], and consider implementing the following best practices:

Ensure you have fully patched your systems, and confirm that you have applied Microsoft’s patch for the MS17-010 SMB vulnerability dated March 14, 2017. [5]

Conduct regular backups of data and test your backups regularly as part of a comprehensive disaster recovery plan.

Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.

Manage the use of privileged accounts. Implement the principle of least privilege. Do not assign administrative access to users unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.

Configure access controls, including file, directory, and network share permissions, with the principle of least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.

Disable SMBv1 and block all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139; this applies to all boundary devices.
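As an added example that is not from the alert, the PowerShell function below audits, and with -Apply enforces, the SMBv1 and SMB/NetBIOS port-blocking steps above on a single Windows host from an elevated session. The function name, the -Apply switch and the firewall rule names are this example's own choices; the host-firewall rules supplement, rather than replace, the boundary filtering the alert calls for.

```powershell
# Added example, not from the alert: audit (default) or enforce (-Apply) the
# SMBv1-disable and SMB/NetBIOS port-blocking steps on one Windows host.
# Requires an elevated session; the cmdlets need Windows 8 / Server 2012 or later.
function Invoke-SmbHardening {
    param([switch]$Apply)

    # Step 1: SMBv1 on the server side.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        Write-Warning 'SMBv1 server protocol is enabled'
        if ($Apply) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    } else {
        Write-Output 'SMBv1 server protocol is disabled'
    }

    # Step 2: the SMB1Protocol optional feature (client and server binaries).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    if ($feature.State -eq 'Enabled') {
        Write-Warning 'SMB1Protocol Windows feature is installed'
        if ($Apply) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
    } else {
        Write-Output 'SMB1Protocol Windows feature is not installed'
    }

    # Step 3: inbound TCP 445, TCP 139 and UDP 137-138 at the host firewall.
    # Rule names are this example's own; the alert targets boundary devices,
    # so these host rules are an extra layer, not a substitute.
    $rules = @(
        @{ Name = 'Block-SMB-TCP-445';         Protocol = 'TCP'; Port = '445' },
        @{ Name = 'Block-NetBIOS-TCP-139';     Protocol = 'TCP'; Port = '139' },
        @{ Name = 'Block-NetBIOS-UDP-137-138'; Protocol = 'UDP'; Port = '137-138' }
    )
    foreach ($r in $rules) {
        if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
            Write-Output "Firewall rule '$($r.Name)' present"
            continue
        }
        Write-Warning "Firewall rule '$($r.Name)' missing"
        if ($Apply) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
                -Protocol $r.Protocol -LocalPort $r.Port -Profile Any | Out-Null
        }
    }
}

Invoke-SmbHardening            # audit only
# Invoke-SmbHardening -Apply   # enforce; a reboot may be needed after removing SMB1Protocol
```

Run the audit first on file servers and domain controllers: blocking 445 on a host that legitimately serves shares will cut off its clients, which is the disruption the alert's note warns about.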

Note: Disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. Weigh the benefits of mitigation against potential disruptions to users.

Recommended Steps for Remediation

NCCIC strongly encourages organizations to contact a local Federal Bureau of Investigation (FBI) field office upon discovery to report an intrusion and request assistance. Maintain and provide relevant logs.

Implement a security incident response and business continuity plan. Ideally, organizations should ensure they have appropriate backups so their response is simply to restore the data from a known clean backup.

Report Notice

DHS encourages recipients who identify the use of tools or techniques discussed in this document to report information to DHS or law enforcement immediately. To request incident response resources or technical assistance, contact NCCIC at NCCICcustomerservice@hq.dhs.gov or 888-282-0870. You can also report cyber crime incidents to the Internet Crime Complaint Center (IC3) at https://www.ic3.gov/default.aspx.
